I. Scope of personal data processing
sipgate only processes personal data insofar as required for providing a functioning website as well as contents and sipgate services. Users’ personal data is usually only processed if required for fulfilling contractual or legal obligations or with the user’s consent. Cases where it is impossible to obtain prior consent for effective reasons and the data processing is permitted by law form an exception to this rule.

II. Legal basis for personal data processing
In the event of sipgate obtaining consent from the data subject for personal data processing activities, Art. 6 (1) lit. a of the General Data Protection Regulation (hereinafter referred to as “GDPR”) forms the legal basis.
When processing personal data required for fulfilling an agreement to which the data subject is party, Art. 6 (1) lit. b GDPR forms the legal basis. The same applies to processing activities required for implementing pre-contractual measures.
In the event of personal data having to be processed for fulfilling a legal obligation of sipgate, Art. 6 (1) lit. c GDPR forms the legal basis.

Should essential interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
If the processing is required to maintain a justified interest of sipgate or a third party, and if the interests, basic rights and freedoms of the data subject do not outweigh the interest stated above, Art. 6 (1) lit. f GDPR serves as the legal basis for processing.

III. Data deletion / storage period
The personal data of the data subject is deleted or blocked as soon as the purpose for its storage ceases to exist. Data may also be stored if stipulated by European or national legislation in EU directives, laws or other regulations which apply to sipgate. Data is also blocked or deleted if a storage period stipulated by the above standards expires, unless it is necessary to continue storing the data for the conclusion or fulfilment of an agreement.

B. Log files

I. Description and scope of data processing
The sipgate systems automatically collect data and information from the system of the accessing computer each time the sipgate website (and the websites of its affiliated companies) is accessed.
The following data is collected during this process:
Information on the browser type and version, the user’s operating system, internet service provider and IP address, date and time of access, websites from which the user’s system is referred to sipgate’s website, and websites accessed by the user’s system through the sipgate website(s).

The data is also stored in the sipgate log files. This data is not stored together with other personal data of the user.

III. Purpose of data processing
The system has to temporarily store the user’s IP address to display the website on the user’s computer. The user’s IP address has to be stored for the duration of the session for this purpose.
It is stored in log files to ensure the functionality of the website. We also use this data to optimise the website and ensure the security of our IT systems. The data is not analysed for marketing purposes in this respect.

The above-stated purpose also constitutes the justified interest of sipgate in the data processing in accordance with Art. 8 (1) lit. f GDPR.

IV. Storage period
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. If the data is collected for displaying the website, this is the point at which the respective session ends.
If the data is stored in log files, it is deleted no later than seven days from being collected. Data may be stored for longer periods than the ones stated above. In such event, the user’s IP address is deleted or alienated so that it is no longer possible to allocate it to the accessing client and this data no longer links to a specific person.

V. Option to object and delete the data
The collection of data for displaying the website and storage of data in log files is crucial for operating the website. The user therefore has no option to object.

C. Use of cookies

I. Description and scope of data processing
Our website uses cookies. Cookies are text files stored in the browser and/or by the browser on the user’s computer system. A cookie may be stored on the user’s operating system if the user accesses a website. This cookie contains a characteristic sequence which makes it possible to clearly identify the browser when the website is accessed again.
We use cookies to create a more user-friendly website. Some elements on our website require for the accessing browser to be identified even after switching pages.
The following data is stored and transferred in the cookies for this purpose:
language settings, shopping basket items, log-in information, browser type, operating system, referrer URL (previously visited page), time of server request and IP address.

We also use cookies that make it possible to analyse the user’s surfing behaviour on our website(s).
The following data can be transferred in this manner:
browser type, operating system, referrer URL (previously visited page), time of server request and IP address.

The user data collected in this manner is pseudonymised by technical features. Once this process has been completed, it is no longer possible to allocate the data to the accessing user. The data is stored separately to other personal user data.

When accessing our website(s), users are informed about the use of cookies for analysis purposes and referred to this Data Protection Declaration on an information banner. Information on how the storage of cookies can be prevented by adjusting the browser settings is also provided.

II. Legal basis for data processing
The legal basis for the processing of personal data and use of technically required cookies is Art. 6 (1) lit. f GDPR.
Art. 6 (1) lit. a GDPR forms the legal basis for processing personal data whilst using cookies for analysis purposes with the user’s consent.

III. Storage period, option to object and delete the data
Cookies are stored on the user’s computer from where they are transferred to sipgate. You, the user, have full control over the use of cookies. You can adjust your browser settings to deactivate or limit the transfer of cookies. Previously stored cookies can be deleted at any time (also automatically). Deactivating cookies on the sipgate website may result in not all of the website functions being fully usable.

D. Newsletter

I. Description and scope of data processing
Any email address entered by you when purchasing goods or services on the sipgate website may be used by sipgate to send you a newsletter. The newsletter exclusively contains direct advertising for our own goods and services. We engage external service providers for sending the newsletter.

We record the number of opened and delivered newsletters in this respect.
The newsletters contain a web beacon, i.e. a one-pixel file which is accessed by the server of our service provider when the newsletter is opened. Technical information, such as on your browser and system as well as your IP address and time of request, is collected as part of this request. This information is used for improving the technical aspects of the service on the basis of technical data or the target groups and their read behaviour based on their request locations (which can be determined with the help of the IP address) or access times.

The statistical data collected also includes the determination if the newsletters have been opened and when and which links have been clicked. This information can be allocated to the individual newsletter recipients for technical reasons. However, neither we nor our service provider intend to monitor individual users. The analyses merely serve for us to recognise the read behaviour of our users and to adjust our contents accordingly or to send different contents that meet our users’ interests.

The number of opened and delivered newsletters is recorded to recognise potential technical problems and to improve the contents. This purpose also constitutes sipgate’s justified interest in accordance with Art. 6 (1) lit. f GDPR.

IV. Storage period
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. The user email address is therefore stored for as long as the newsletter subscription remains active.

V. Option to object and delete the data
The affected user can cancel the newsletter subscription at any time. A corresponding link is included in every newsletter for this purpose.

E. Contact form

I. Description and scope of data processing
The sipgate website contains contact forms that can be used for contacting the company via electronic channels. If the user decides to use this option, the data entered in the input mask is transferred to sipgate and stored.
This data includes: email address, customer number and phone number, if required.

The legal basis for processing data transferred as part of an email is provided by Art. 6 (1) lit. f GDPR. If the email contact aims at concluding an agreement, Art. 6 (1) lit. b GDPR forms an additional legal basis for processing.

III. Purpose of data processing
sipgate exclusively processes personal data from the input masks for processing the contact request. In the case of contact being made via email, this also constitutes the necessary and justified interest in processing the data.
The other personal data processed during the send process serves to prevent the misuse of the contact form and ensure the security of sipgate’s IT systems.

IV. Storage period
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent via email, this is the case once the respective conversation with the user has ended. The conversation has been concluded once the respective matter has been fully and finally clarified.

V. Option to object and delete the data
The user may withdraw its consent for processing the personal data at any time. In such case, the conversation cannot be continued.

F. zendesk ticket system

I. Description and scope of personal data processing
sipgate uses zendesk, a tool provided by Zendesk Inc., 1019 Market Street, San Francisco, CA 94103, USA, for collecting and processing customer requests. We have concluded a data processing agreement with this company. When customers email sipgate, their email address, customer number and any other information sent are stored by zendesk.

II. Legal basis for personal data processing
Art. 6 (1) lit. f GDPR forms the legal basis for processing data which is transferred as part of an email. If the email contact aims at concluding or fulfilling an agreement, Art. 6 (1) lit. b GDPR forms the legal basis for processing.

III. Purpose of processing
The personal data is exclusively processed for finding a specific solution to customer queries whilst recording and/or processing them. It is essential in this respect for sipgate to be able to contact the respective customer.

IV. Storage period, deletion, option to object and delete the data
Users may request the deletion of their personal data at any time. In such case, the conversation cannot be continued.

G. Fonts

I. Description and scope of personal data processing
We engage the services of the copyright holders of fonts for displaying various fonts. To do so, the IP address of the querying computer is transferred to the copyright holder supplying the font.

III. Purpose of processing
The display of the sipgate website(s) in the requested font.

IV. Storage period, deletion, option to object and delete the data
The IP address is deleted immediately after accessing the font.

H. Google

I. Description and scope of personal data processing
We use the services of Google (Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043 USA) for our work as well as internal and external communication. We have concluded a data processing agreement with this company. As part of our work, various personal data (such as IP address of the querying computer, your name, your email address and other data processed during the conclusion of an agreement and/or its performance by us) is stored on Google servers, if required for the performance of the agreement or communication with the customer (such as email, conclusion of agreements via Google drive).

III. Purpose of processing
Customer contacts and other various processes that are required for the performance and fulfilment of the agreement.

IV. Storage period, deletion, option to object and delete the data
The data is deleted if no longer required and we are not obliged to store it by law.

I. Messaging system

I. Description and scope of personal data processing
We use the services of intercom (Intercom, Inc., San Francisco, CA 94105, USA) for our online communication. We have concluded a data processing agreement with this company. As part of these activities, the IP address of the querying computer is transferred to intercom which provides various online communication services (such as online chat and automatic customer onboarding) for customers on the sipgate website.

IV. Storage period, deletion, option to object and delete the data
The IP address is deleted immediately after closing the session.

J. Web analysis

I. Google Analytics

1. Description and scope of personal data processing
The sipgate website uses Google Analytics, a web analysis service provided by Google Inc. Google Analytics uses cookies which are stored on the user’s computer and which make it possible to analyse the user’s use of the website. This enables sipgate to analyse the use of the website(s) and thus create even more user-friendly contents.

The additional “User ID” function is also integrated on some websites.

The User ID is a unique, permanent and non-personalised character sequence which we allocate to you as a person and not to a specific device. It enables us to record your visit and user behaviour on our website from various devices (e.g. smartphone, tablet or laptop). The User ID is only allocated to you if we can clearly identify you as a user. This generally is the case when you register for the first time on our website. We do not combine the data collected under the User ID with personal data. We only transfer the pseudonymised User ID to Google Universal Analytics and use it as your pseudonym when dealing with Google. Other data and information relating to your account is not transferred to Google. Your user behaviour on our websites is then transferred to the Google servers in the USA, together with your User ID, where it is stored and processed for analysis purposes. Google links the transferred information to pseudonymised user profiles and provides sipgate with a summary of them. sipgate does not combine these transferred user profiles with your personal data. This makes it impossible to allocate the data to specific persons at all times. You can object to the transfer of a User ID to Google by sending us an email with the following subject: “Data Protection: User-ID”.

sipgate has activated IP anonymisation (“_anonymizeIP()” extension) on this website. This means that IP addresses are recorded anonymously by way of IP masking to remove any direct link to persons. The full IP address is only transferred to Google servers in the USA and abbreviated there in exceptional circumstances. The IP address is usually abbreviated within the member states of the European Union or other contracting states of the Agreement on the European Economic Area and transferred to Google servers in the USA in abbreviated form.

3. Purpose of data processing
Google uses this information on behalf of sipgate for analysing the use of the latter’s website, for compiling website activity reports and for providing other services relating to the use of the internet and website for sipgate. Google does not combine the IP address transferred by your browser within the scope of Google Analytics with other data.

4. Storage period
The data is stored for a maximum period of 26 months.

5. Option to object and delete the data
You can adjust your browser settings to block the storage of cookies. However, we would like to point out that you may no longer be able to fully use all of the functions on this website in this case. You can also prevent the transfer of the data created by the cookie that relates to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the respective browser plug-in from the following link (http://tools.google.com/dlpage/gaoptout?hl=de). The web analysis remains deactivated until the Google add-on is deactivated and/or deleted. Please therefore do not delete this add-on as long as you wish to prevent the web analysis. The add-on has to be installed in every browser on every computer. You have to install the add-on separately if you access sipgate services and/or websites from different browsers/computers.
By using this website you agree for us to collect and process your personal data in the manner and for the purpose stated above if you have not installed the above browser plug-in.

6. Data transfer to third countries
As part of the use of Google products, data is stored on servers located within the United States of America. This data usually (see Section VIII. A. 1.) does not relate to a person as it has been anonymised prior to being transferred.

Data transfer to the United States of America is justified by the conclusion of the agreement between sipgate and Google which contains standard contractual clauses developed by the EU Commission.

3. Purpose of data processing
This service is used for monitoring the technical stability of the services provided by sipgate on its websites. This makes it possible to monitor system stability and recognise and improve code errors. The collected data enables sipgate to recognise when and which display errors have occurred and on which operating system. This data exclusively serves to provide sipgate services with the least possible errors and to rectify any errors found.

The above purposes also constitute the justified interest of sipgate in the data processing in accordance with Art. 6 (1) lit. f GDPR.

4. Deletion, option to object and delete the data
All data, such as information on the device used and time of error are collected in anonymised form, stored and deleted immediately once it has been analysed. sipgate is unable, at any time, to link the stored data back to a specific or determinable person. Any entries made by the user are recognised as such by Sentry and never collected.

III. HubSpot

1. Description and scope of personal data processing
sipgate uses HubSpot, a service provided by HubSpot Inc., on its website for analysis purposes. HubSpot Inc. is a US company with a branch in Ireland (HubSpot, 2nd floor 30 North Wall Quay, Dublin 1, Ireland, Tel.: +353 1 5187500).
HubSpot uses cookies (see Section III. on cookies) that are stored on the user’s computer and collect certain data. The data collected includes IP address, location, browser, duration of the visit and websites accessed. HubSpot analyses this data and uses it for generating statistics on the use of sipgate’s website(s).

2. Legal basis for personal data processing
Art. 6 (1) lit. a and f GDPR forms the basis for the processing of personal data using the HubSpot service.

3. Purpose of data processing
The data collected via HubSpot is used for generating statistics on the use of the sipgate websites. sipgate requires these statistics to ensure that the website and all contents operate smoothly and to continuously optimise them.
sipgate further requires the data collected by the HubSpot service to provide users with targeted marketing.

The above purpose also constitutes sipgate’s justified interest in the processing of personal data in accordance with Art. 6 (1) lit. f GDPR.

sipgate uses the data collected via the HubSpot service exclusively for the purposes stated above and never transfers it to third parties.

4. Deletion, option to object and delete the data
You can block the collection of data by HubSpot by blocking the storage of cookies in your browser settings. For instructions on how to do this, please go to http://www.meine-cookies.org/cookies_verwalten/index.html

1. Description and scope of personal data processing
Website visitors can leave comments on some of the websites of sipgate GmbH. To do so, visitors have to give an email address.
When a new comment is stored, sipgate GmbH fully automatically checks if the website visitor has a Gravatar account based on the email address provided by the visitor.
Gravatar is a service that is used to ensure that a profile picture is uploaded only once centrally to be displayed on all websites visited that contain a comment or similar function.

If no Gravatar account has been created for the requested email address, Gravatar immediately deletes the requested email address.

If a Gravatar account has been created for the requested email address, the profile picture of the respective user is automatically displayed on the websites of sipgate GmbH, together with the comments of this user.

3. Purpose of data processing
Displaying the profile pictures of users of the websites of sipgate GmbH.

K. Information transfer

We transfer data only in the following circumstances:

I. Payment types
sipgate transfers the personal data that has been collected and stored to our service providers within the scope of contractual regulations if this is necessary for processing your agreement. Obviously, these service providers are requested to comply with the applicable data protection regulations.
We cooperate with external service providers for the various payment methods available:

II. Affiliated companies
Affiliated companies are companies that are controlled by sipgate. Data may be transferred to affiliated companies. However, we only transfer data if these companies are either governed by this Data Protection Declaration or comply with guidelines that provide at least the same level of protection as this Data Protection Declaration.

III. Legal or official obligation
We only disclose the personal data of our customers if required to do so by law or if such transfer is necessary to assert our general terms and conditions of business or other agreements or to protect our rights and the rights of our customers and third parties. This includes an exchange of data with companies specialising in the prevention and minimisation of misuse and credit card fraud. No data is transferred for commercial use by these companies, it is exclusively transferred for the purposes stated above.

L. Social networks

sipgate maintains a presence on the following social networks:

I. Facebook
Facebook is a social network operated by Facebook Ireland Limited (Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland). sipgate maintains a Facebook page (fan page).
If you have logged into your Facebook account and use the sipgate Facebook fan page, Facebook gives us access to your “public information” on Facebook that you make available to the public or approve for the respective application via a technical interface. On Facebook, “public” means that everyone, including persons outside of Facebook, can see your data. This includes your name, profile picture, cover photo, gender, networks, “Likes”, user name (Facebook URL) and user ID (Facebook ID).

Based on the Facebook data protection policy, Facebook decides which data is permanently accessible to the public and which you can make accessible by adjusting your privacy settings.

II. Twitter
sipgate maintains a Twitter account. Twitter is a microblogging service operated by the US company Twitter, Inc. (795 Folsom Str., Suite 600, San Francisco, CA 94107).

I. Description and scope of personal data processing
We collect your title, name, address, date of birth and payment information within the scope of the conclusion of an agreement.

In addition to the existing data, e.g. from the customer order, sipgate also uses your traffic and user data. Traffic and user data include data created during telephone calls or through other methods via the network used by sipgate (SMS / MMS, data services).

III. Purpose of personal data processing
The traffic data is created when the telecommunication connection is established and maintained and is required for invoicing purposes. It is stored, processed and used for a maximum period of six months from dispatch of invoice.

The existing data is required for performing the agreement.
The email address is also required for contacting the customer (sending invoices and other product-related information).

IV. Storage period, option to object and delete the data
The data is deleted as soon as it is no longer required for fulfilling the purpose for which it was collected.

In accordance with the German Telecommunications Act (Telekommunikationsgesetz – TKG), we are obliged to store the existing data until the close of the calendar year following the termination of the agreement. Any longer data storage periods required in accordance with commercial law, such as for invoices (German Commercial Code (Handelsgesetzbuch – HGB) or German Tax Code (Abgabenordnung – AO)) are binding.
Users may request the deletion of their personal data at any time. Upon receipt of such request, sipgate deletes the personal data, unless obliged to store it in accordance with commercial law.
Please also refer to the general terms and conditions of business and specification of services applicable to the respective product.

N. Rights of the data subject

If a user’s personal data is processed, this user becomes a data subject within the meaning of the GDPR. As a data subject, you have the following rights against sipgate, unless stated otherwise in the individual data processing regulations above:

I. Right to information
You may request confirmation if sipgate processes your personal data.

In the event of your personal data being processed, you may request the following information from the controller:

4. Planned storage period for your personal data or criteria for determining the storage period if it is impossible to specify;

5. Existence of the right to correction or deletion of your personal data, the right to limit its processing by the controller or the right to object against such processing;

6. Existence of the right to complain to a supervisory authority;

7. All information available on the origin of the data if the personal data is not collected from the data subject;

8. Existence of an automated decision-making process, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved as well as the consequences and intended effects of such processing on the data subject.

You have the right to request information regarding the question if your personal data is transferred to a third country or international organisation. You may request to be informed about the suitable guarantees in accordance with Art. 46 GDPR relating to the data transfer in this respect.

II. Right to correction
You have the right to request the correction and/or completion of the data from the controller if your processed personal data is incorrect or incomplete. The controller must correct the data immediately.

III. Right to deletion

1. Obligation to delete data
You may request for the controller to delete your personal data immediately. The controller is obliged to delete such data if one of the following reasons applies:

a) Your personal data is no longer required for the purposes for which it was collected or processed in any other manner.

b) You withdraw your consent for the processing in accordance with Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal basis for such processing.

c) You object against the processing in accordance with Art. 21 (1) GDPR and there are no overriding justified interests for the processing or you object to the processing in accordance with Art. 21 (2) GDPR.

d) Your personal data has been processed illegally.

e) Your personal data has to be deleted in order to fulfil a legal obligation under EU law or the law of the member states applicable to the controller.

f) Your personal data was collected with regard to services offered by the information company in accordance with Art. 8 (1) GDPR.

2. Information transfer to third parties
If the controller has published your personal data and is obliged to delete it in accordance with Art. 17 (1) GDPR, the controller shall implement adequate measures, including technical measures that take into consideration the available technology and implementation costs, to inform the controllers that are processing the personal data that you, the data subject, have requested the deletion of all links to this personal data, copies or duplicates thereof.

3. Exceptions
The right to deletion does not exist if the processing is required for

a) Exercising the right to freedom of speech and information;

b) Fulfilling a legal obligation which is governed by EU law or the law of the member states applicable to the controller, or performing a task transferred to the controller which is in the interest of the general public or necessary to enforce the orders of a public authority;

c) Reasons of public interest with regard to public health in accordance with Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;

d) Archiving purposes that are in the interest of the general public, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR if the right stated in Section a) can be expected to make the realisation of the objectives of such processing impossible or if it would significantly impair it; or

e) Asserting, enforcing or defending legal claims.

IV. Right to information
If you have asserted the right to correction, deletion or limitation of processing against the controller, the latter is obliged to notify all recipients to which your personal data has been disclosed of such correction and deletion of the data or its limitation of processing, unless this is impossible or would incur disproportionate costs and effort.

You have the right to be notified by the controller about such recipients.

V. Right to data transferability
You have the right to receive your personal data which you provided to the controller in a structured, standard and machine-readable format. You also have the right to transfer this data to another controller without being restricted by the controller to whom the personal data has previously been provided, if

The processing is based on consent in accordance with Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or an agreement in accordance with Art. 6 (1) lit. b GDPR, and
Automated methods are used for processing the data.

In execution of this right, you further have the right to enforce that your personal data is transferred directly from one controller to another, insofar as this is technically possible. Such actions may not impair the freedoms and rights of other persons.

The right to data transferability does not apply to personal data processing that is required for fulfilling a task transferred to the controller that is in the interest of the general public or necessary to enforce the orders of a public authority.

VI. Right to object
You have the right to object against the processing of your personal data based on Art. 6 (1) lit. e or f GDPR at any time and for reasons arising from your specific situation; the same applies for any profiling based on these regulations.

The controller will no longer process your personal data in this case, unless it can provide evidence of compelling reasons worth protecting for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, enforce or defend legal claims.

If your personal data is processed for the purpose of direct advertising, you have the right to object to the processing of your personal data for such advertising purposes at any time; the same applies to profiling that is related to such direct advertising.

If you object to the processing for the purpose of direct advertising, your personal data will no longer be processed for such purpose.

You have the option to assert your right to object by using automated methods that employ technical specifications in connection with the use of services provided by the information company, regardless of Directive 2002/58/EC.

VII. Right to withdraw the data protection consent declaration
You have the right to withdraw your data protection consent declaration at any time. The withdrawal of this consent does not affect the legality of the processing based on the consent until its withdrawal.

VIII. Right to complain to a supervisory authority
Notwithstanding any other remedy under administrative law or before the courts, you have the right to complain to a supervisory authority, particularly in the member state where you reside, work or where the alleged violation took place if you are of the opinion that the processing of the respective personal data violates the GDPR.

The supervisory authority to which the complaint was submitted informs the complainant of the status and results of the complaint, including the option of legal remedy in accordance with Art. 78 GDPR.